Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:40 AM
Natalie Lehr
Natalie Lehr
Connect Directly
E-Mail vvv

Cyber Security Practices Insurance Underwriters Demand

Insurance underwriters aren't looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks.

With security breaches on the rise, IT professionals spend a lot of time questioning what kinds of cyber risk their companies’ insurance policies will cover. However, as those policies quickly move from optional to necessary, insurance companies are the ones asking the hard questions.

Before underwriters give the green light to cyber liability coverage, they want to see proof of insurability. That doesn’t mean they’re looking at your actuarial risk. To the contrary, regardless of past history, virtually every company today is susceptible to hacking or insider threats. That is the new reality. Therefore, insurance companies are focusing on factors beyond historic risk to inform their decisions.

When you seek out cyber insurance, underwriters will ask that you demonstrate your insurability as part of the pre-binding due diligence process. Doing so involves three primary factors:

Your understanding of cyber risk
The days when cyber risk was considered an IT problem are over. Today, cyber risk is an issue your entire business must address. In order to demonstrate that your organization fully understands the scope of cyber risk, evaluate it in a holistic manner. Consider the many directions from which an attack might come, the many forms it might take, the many information assets it might target, and the many motives that might spur it. Possibilities might include:

  • A hacker group that views your company as an attractive political target
  • A trusted insider who could be enticed to sell your intellectual property to a competitor
  • One of your third-party service providers that is vulnerable to a malware attack, which could also expose your customers’ personally identifiable information

Savvy companies know that the risks come in many forms, so be ready to explain what policies and tools you have in place to address a variety of threats.

Your ability to mitigate a cyber attack
The ultimate goal for any security strategy is to prevent an attack from occurring in the first place, but unfortunately that’s not entirely reasonable. The next best thing is to minimize the harm it causes. No company is entirely inoculated from risk, but those that are prepared for it in advance suffer less. To prepare, your company needs to understand the threat landscape outlined above. That means assessing real-time risk across the entire ecosystem of your business: upstream, downstream, and inside your own organization. Unless you’re evaluating your weaknesses in a holistic manner, you won’t convince an insurer of your ability to identify an attack, never mind stop one.

You’ll need to show underwriters that you’re serious about security by conducting a holistic risk assessment before you face any known threats. Gather intelligence about which assets are your highest priorities, and which are most exposed. Then, align your security investments and resources to address those vulnerabilities. This can include a combination of perimeter and end-point solutions, and should incorporate extensive employee training. Showing that your organization has a strong cyber security culture goes a long way toward establishing security maturity.

Your likelihood of returning to business operations quickly 
Cyber insurers know that your business is at risk -- all businesses are. However, you can increase your organization’s chances of receiving a policy by demonstrating cyber resilience. Do this by adopting mature security practices, continuously assessing risk, and creating a plan for business continuity during and after an attack. This is of great interest to cyber insurance underwriters, who want to see that you can stem data loss, protect your brand, and retain customer loyalty, even after an attack. All parties will benefit from an organization’s ability to mitigate risk, shorten attacks, and get back to business quickly, thereby reducing losses.

Insurance underwriters aren’t looking for clients that are impervious to cyber risk. There are no longer any companies that fall into that category, unfortunately. What they are looking for are businesses that understand the threat landscape and their own risks and have established a cyber security culture demonstrated through mature security practices. As you seek out the most beneficial cyber insurance policy your company can find, be prepared to prove that your organization is committed to not only improving its cyber security company-wide, but also to reducing data and financial loss resulting from an attack.

Natalie Lehr is co-founder and Vice President of Analytics at security consultancy TSC Advantage . With more than 15 years of experience as an intelligence professional, her expertise spans both the government and commercial sectors. Her work for the US government includes ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/8/2015 | 5:15:20 PM
Re: Cyber Insurance
Good article, many thanks. In addition to this good advice, I would like to make security professionals aware that actually they are unlikely to be anything other than important influencers in the evaluation of cyber insurance cover for their organisations and in some cases (although wrongly) they might not even be consulted. This is because if their organisation is large enough to warrant the valuable risk assessment advice given here, it will also be very likely to have a senior executive e.g. Chief Risk Officer, Company Secretary, CFO, General Counsel etc. , often on the Board, who is responsible for the insurance portfolio of cover for the business and the decision to purchase; and oftentimes the decision to even consider cyber insurance in the first place will be taken by them and heavily influenced by their insurance broker. Underwriters are of course a key part of the puzzle and many will be happy to speak to the client directly but usually always under the watchful eye of the intermediary. When it comes to cyber insurance, underwriters have historically been more involved because brokers have been slow to skill up to help the clients assess and provide the necessary information for the insurance cover to be agreed. This situation is gradually changing as brokers tune into the business potential but the complexities of cyber risk mitigation often leaves them less than confident when advising their clients. In order to become part of the process it is vitally important that Infosec professionals first understand how their organisations insurance cover is managed if they are to intervene in, or even initiate/preempt the process of evaluating and potentially acquiring suitable cyber insurance. Remember that just as Boards have often (unfortunately) paid little heed to their IT departments and Infosec team before, it is likely not to be messages from their own staff that eventually get cyber risk to their attention! Instead it will be the rising trend of breaches reported in the media, advice and discussions with their fellow executives and non-executives and interactions with their incumbent brokers chatting informally about the new 'cyber products' they have on offer over drinks at the 19th hole. Nevertheless, once politics and process are understood and navigated, the good news is that, for those Infosec professionals who are often frustrated that they don't get listened to at suitably high levels (and cyber risk is right up there now) then this truly is an opportunity to have their voice heard and surely it is one which is very worthwhile pursuing. There are a few truly independent cyber risk insurance specialists who are not brokers and who have a strong background in Infosec and I could not recommend Infosec professionals to seek such advice more highly given that many are (rightly or wrongly) a bit sceptical of insurance brokers. Such advice would also be vital if the Infosec professionals are to be able to understand both the risk profile(s) and response capability of their organisation and be able to speak with reasonable authority when informing their executives decisions on the ideal cyber insurance cover for their organisation.
User Rank: Author
12/15/2014 | 5:26:47 PM
Re: Cyber Insurance
Thanks for your comment, Joe. 

I agree that cyber coverage should be comprehensive and multifaceted. Good policies do more than merely transfer asset value risk; they should also include coverage related to expenses and services that enable a speedy recovery. Asset value is one way of determining the value of coverage, but it should equally defend intangible assets. 

Cyber resiliency is a function of holistic business investments that together reduce the probability of compromise and accelerate a company's safe return to normal operations. Cyber assessments - as part of risk informed planning - help companies and underwriters identify areas of potential risk. Underwriters recognize they can create additional value for their clients by enabling more proactive security planning coverage in advance of a breach. Coverage dialogue can then center on obtaining the right product relative to their clients' specific security posture. 
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
12/15/2014 | 12:34:52 AM
Cyber Insurance
Of course, what you want covered can play a big part -- which is where this self-assessment can really help.  Retroactive coverage for as-of-yet-unknown breaches comes to mind.  Ditto for content injury liability.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-15
qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.
PUBLISHED: 2019-11-15
Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt t...
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to an unsigned code execution vulnerability, which may allow an individual to execute code without a resident proper digital signature.
PUBLISHED: 2019-11-15
Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2 and 7.5.x respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software applicat...
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.